Are deepfake fraud risks overhyped? Where enterprises are exposed
Deepfakes are the hot new enterprise risk. British engineering group Arup lost $25 million recently after scammers used AI deepfakes to falsely pose as the group’s CFO and request transfers from an employee to fraudulent bank accounts.
But will deepfakes become the number one avenue for fraudsters to steal money? Likely not. There are far more common and pervasive cyber fraud attack methods, specifically business email compromise (BEC) schemes. Data shows that 83% of companies faced an increase in cyber fraud attempts from activity such as BEC attacks, hacking and highly sophisticated phishing schemes. In fact, fraudsters use BEC scams (31%) and hacking (31%) more often than deepfakes (11%) to dupe organizations.
Deepfakes are still a threat and it’s important for corporates to take steps to fight these types of attacks. But don’t get caught up in the hype and overlook BEC schemes as a critical point of entry. Actively bolster organizational defenses now.
Today’s cyber fraud landscape
Cybersecurity and fraud prevention are now inextricably intertwined. The vast majority of cyberattacks are perpetrated to commit financial crimes such as payment fraud. Ninety-six percent of U.S. companies faced a payment fraud attempt in the past year, a 71% increase from the prior year.
Once a cybercriminal breaches a company’s internal defenses, they go on the prowl to find weak links where they can steal money. The weak link is often human workers — especially those with access to financials and payments. A recent study found that 31% of employees made errors that could impact the security of their workplace. Falling victim to phishing scams and sharing passwords with colleagues were cited as top mistakes. Finance, treasury and procurement teams have become targets of fraudsters because they hold the purse strings.
As AI advances, cybercriminals are scaling BEC attacks across thousands of companies simultaneously. AI is also making it significantly easier for fraudsters to write convincing phishing emails that are difficult for even the trained eye to spot as fraud. Social engineering-based BEC attacks have risen by 1,760% in the past year, mostly fueled by the advancements in generative AI.
The main reason why BEC attacks are a far greater threat comes down to a general comfortability in certain channels of communication. Most professional workers would not share payment details or authorize a transaction on a video conference line. Sharing this sensitive information over email is much more common, making BEC attacks the one to watch for.
Most organizations have robust firewalls, secure operating systems and intrusion detection systems but BEC attacks bypass these preventative measures through social engineering techniques where employees give up sensitive information over email and enable hackers to infiltrate their systems. These types of attacks can be much harder to spot, control and avoid.
For example, a fraudster may use a sophisticated phishing email to extract important information about a company’s payment process and target employees with access to that sensitive information. They will use an aggressive social engineering email scheme to trick that employee in charge of the payment information into wiring a seemingly real business payment to a fraudulent bank account.
Most leaders believe their investments in cybersecurity measures are enough, but cybersecurity only goes so far if not backed by strong fraud prevention mechanisms.
Where enterprises are exposed
There are several main types of BEC scams where enterprises are exposed.
- Invoice fraud: These appear to be emails from legitimate suppliers with real invoices, but the bank accounts belong to fraudsters. Thirty percent of U.S. companies faced this type of attack in 2023.
- CEO/CFO fraud: Emails from the CEO or senior executives’ accounts will request transfers of funds to fraudulent accounts. This type of attack is the third most common type of fraud.
- Hacked accounts: An employee’s email account will request invoice payments from suppliers. Payments are diverted to the scammer’s account.
- Data theft: Employees in HR and accounts departments are targeted for personally identifiable information (PII) or tax information on employees. This can be used to divert payroll funds.
- Law firm information requests: Emails seemingly from a company’s law firm will request confidential information.
Sophisticated BEC attacks are varied and challenging to spot, meaning enterprises should prioritize the following defensive measures in the second half of 2024.
Three steps to protect against BEC attacks
Companies have three clear steps they can take to fight back against BEC attacks.
1. Implement two lines of defenses
Data breaches have surged to an all-time high, with over 17 billion records compromised in 2023. Despite significant investment in cyber defenses, it’s not working. Fraud prevention investment is lagging, with only 28% of companies reporting they have fraud prevention tech in place.
Consider implementing fraud prevention software that will stop fraudsters in their tracks by using automation to confirm that each business payment is going to a legitimate bank account that matches the company they are supposed to be paying. Even if a criminal gets access to a vendor’s email account and requests a payment to a fraudulent bank account, technology can flag the illegitimacy of the bank account before the fraudster steals millions.
2. Ensure payment data is accurate
Companies often think that the risk of fraud comes from the payment itself. In fact, the risk comes from the payment data. Large companies work with thousands of vendors. Vendor data is not always accurate or up-to-date. It is estimated that 30% of existing vendor data in financial systems is outdated, whether because a vendor decides to work with a new bank, is acquired by another organization, or another reason. Those changes don’t always get captured in organizations’ vendor databases, which exposes them to fraud.
Preventing fraud requires regularly and actively screening and cleaning vendor data, making sure it’s up to date and then validating the account at the time of payment so organizations are confidently paying the right vendor every time.
3. Enable collaboration across internal teams associated with payments
Finance, treasury and procurement professionals all share responsibility for fraud prevention. Each plays a different role. But today, most of these teams operate in silos, with little to no communication and visibility around payments. And often, each team thinks the other is primarily responsible for the fight against fraud.
The moments in between process handoffs can easily be exploited by fraudsters using sophisticated BEC attacks. They could request a change to bank account information right after the finance team takes over, without procurement knowing or being able to confirm whether the change is fraudulent. It’s important to create a culture of collaboration with the teams associated with payments — and enable them with technology that can monitor the potential risks and enable teams to address them before fraud happens.
Looking forward
Deepfakes are the shiny new toy for fraudsters. As deepfakes enter the cybersecurity and fraud prevention conversation, outsized hype has been placed on their risks. It’s important that leaders do not overlook BEC attacks, as they are a critically vulnerable entry point for fraudsters to swipe millions.